From patchwork Tue Sep 10 14:37:20 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8097
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 07/20] suricata: Be more efficient with marks
Date: Tue, 10 Sep 2024 14:37:20 +0000
Message-Id: <20240910143748.3469271-8-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>
CC: Michael Tremer
List-Id: IPFire development talk

This patch changes that we introduce a new mark which allows us to identify any newly bypassed connections and permanently store the bypass flag. We also only restore marks from the connection tracking when a packet has no marks yet.

Tested-by: Adolf Belka
Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall |  2 +-
 src/initscripts/system/suricata | 20 +++++++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 39d9c0f23..5d37cffd7 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -160,7 +160,7 @@ iptables_init() { iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks - iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark + iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark # Fix for braindead ISPs iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 30a81333f..20afab130 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,8 +29,14 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) IPS_REPEAT_MARK="0x80000000" IPS_REPEAT_MASK="0x80000000" -IPS_BYPASS_MARK="0x40000000" -IPS_BYPASS_MASK="0x40000000" + +# The IPS requested that this connection is being bypassed +IPS_BYPASS_REQUESTED_MARK="0x40000000" +IPS_BYPASS_REQUESTED_MASK="0x40000000" + +# Marks a connection to be bypassed +IPS_BYPASS_MARK="0x20000000" +IPS_BYPASS_MASK="0x20000000" # Optional options for the Netfilter queue. NFQ_OPTS=( @@ -72,6 +78,11 @@ generate_fw_rules() { # Don't process packets where the IPS has requested to bypass the stream iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN + # If suricata decided to bypass a stream, we will store the mark in the connection tracking table + iptables -w -t mangle -A IPS \ + -m mark --mark "$(( IPS_BYPASS_REQUESTED_MARK ))/$(( IPS_BYPASS_REQUESTED_MASK ))" \ + -j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" + # Don't process packets that have already been seen by the IPS iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN 
@@ -93,11 +104,6 @@ generate_fw_rules() { # Send packets to suricata iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}" - # If suricata decided to bypass a stream, we will store the mark in the connection tracking table - iptables -w -t mangle -A IPS \ - -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \ - -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))" - return 0 }
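Review bot: in the firewall hunk the comment above the changed PREROUTING rule, `# Restore any connection marks`, no longer describes the rule: `-m mark --mark 0` without a mask is an exact 32-bit match, so the connection mark is now restored only for packets whose mark is exactly zero. Suggest rewording the comment to say that marks are restored only for packets that carry no mark yet, so that a mark the IPS has already placed on a packet it sends back through the chain is not overwritten by the stored connection mark; that is the intent given in the commit message and it belongs next to the rule.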
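Review bot: in the suricata `@@ -29,8 +29,14 @@` and `@@ -72,6 +78,11 @@` hunks, the new CONNMARK rule fires only on packets carrying `IPS_BYPASS_REQUESTED_MARK` (0x40000000), the bit the comment says the IPS sets when it decides to bypass a stream, but the Suricata side of that contract (the mark and mask it applies to bypassed packets) is not part of this patch. Please confirm it still matches 0x40000000, because the old `IPS_BYPASS_MARK` value has been repurposed as the "requested" bit and the bit stored on the connection has moved to 0x20000000. The ordering looks right: the rule sits before the `IPS_REPEAT_MARK` RETURN, so a repeated packet that carries both bits still gets its bypass bit stored, and `--set-mark value/mask` touches only that bit of the connection mark. It would also help to note in the comment that the stored bit persists for the lifetime of the conntrack entry, so the bypass lasts until the connection expires.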
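Review bot: the removal of the `--save-mark` rule in the `@@ -93,11 +104,6 @@` hunk deserves a sentence in the commit message explaining why it had to move: a rule placed after `-j NFQUEUE` in the same chain is only reached if the queue verdict lets the packet continue through that chain, whereas this chain relies on the packet being re-run through the chain from the top with `IPS_REPEAT_MARK` set, so a rule below the queue target is not where the marked packet ends up. Stating that makes it clear the change is a correctness fix and not merely a reordering.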